
Computer security can be complex and there are a slew of books available on the subject. They are well-intended pieces of advice that work most of the time and for most people. The basic principles in this security advice include:

Remove local administrator rights for the user account

Only log in with the administrator account if and when necessary

Use strong passwords and change them periodically

Keep both the operating system and applications patched at all times

Implement layered security; don't just rely on antivirus products

etc….

These are all well intended and useful, which can be verified by reading white/gray/black hats' recommendations for mitigating exploits. Take for example Parvez's posting on the subject of User Account Control (UAC) escalation, quote:

Office documents are opened in medium integrity so these are ideal targets to abuse the UAC bypass. Since these bypasses are so effortlessly achieved the only real course of action would be to set UAC to “Always notify” or remove local admin rights for the user. In the end, using agents like Microsoft EMET or MalwareBytes Anti-Exploit would be the best mitigating action to take from initially being exploited in the first place.

The fact that a gray hat, Mr/Ms Parvez, agrees with the security experts should prompt you to follow their advice. So, you go ahead and add Microsoft EMET and Malwarebytes Anti-Exploit (MBAE) to expand your layered computer security protection. Since EMET is free for Windows and MBAE does have a free-for-home-use version, it wasn't too bad and you feel good about the added protection.

Then one day, or rather frequently, Oracle's Java update comes along and you install it. After all, keeping applications updated is one of the pieces of security advice. So, you download the file named "JavaSetup8u91.exe" from Oracle and use "Run as administrator" to install it. The executed file downloads additional files that start installing the update. Well, first you'll need to decide if you want to allow additional software to be installed, like this one:

Or this one:

You can install these PUPs (Potentially Unwanted Programs, or Potentially Unlimited Profits for Oracle, depending on your view) or not; your choice. Now the Java update installation starts and displays its progress:

Let's not start a discussion about 3 billion devices being vulnerable pretty much all the time; let the installation finish. Except that the newly acquired Microsoft EMET stops the installation with a popup message:

As a result, the Java update failed notice is displayed:

As a security-conscious person, your initial reaction is "Did I just try to install some malware?" Or is this just a false detection by EMET? You go ahead and check the download source and the file properties, including the digital signature, and everything looks OK.

Disable EMET for the time being and restart the Java update. That didn't help; the installation still fails with error code 1603 (the generic Windows Installer "fatal error during installation" code, which says nothing about the actual cause). Then disable Malwarebytes Anti-Exploit and the installation still fails. As a last-ditch effort, you disable the antivirus and finally the Java update completes successfully.

Really, Oracle? It's not enough that Java is a popular target for malware, due to its less than ideal code base. What's next? Will we need to disable layered security protection just to get Java to run on our computers?

Maybe we should "start a discussion about 3 billion devices being vulnerable pretty much all the time" after all…

Passwords have been with us for a very long time and have shown incredible persistence. Despite countless attempts and near-universal agreement to replace them, passwords are more widely used than ever. Poor security is obviously the main concern of security experts. However, since even strong authentication technologies are vulnerable to certain attacks, more detail on exactly what is required of a replacement is essential.

The U.S. government's 2011 NSTIC initiative, "National Strategy for Trusted Identities in Cyberspace", summarizes things concisely: "passwords are inconvenient and insecure". The summary suggests that the implicit goal is "more security, more usability (at reasonable cost)". There is little to disagree with here; however, it does not point in the direction of a suitable replacement. The resources protected by passwords are diverse: local and corporate accounts, financial accounts with substantial assets, throwaway email accounts, web forum accounts and so on. Clearly, not all types of accounts have the same security needs. Nor do all people have the same security needs; politicians and celebrities in general may require better protection than others need for banking. What should be the starting point for evaluating technologies to replace the password?

Evaluating the current vulnerabilities of password authentication systems is a good starting point. After all, one of the implicit goals for the new authentication method is more security. While usability and cost are important, they usually take a backseat when increased security is required. End users and upper management will certainly disagree, but let us go with the initial assumption and aim for secure authentication.

Password requirements have changed substantially over the years. Long gone are the short alphabetic and/or numeric-only passwords, at least at resources where security is important. Most, if not all, systems allow setting password policies that include complexity, account lockout after x failed attempts, and expiration. Guessing complex and relatively frequently expired passwords through the login prompt is not that productive; it is more of a "my lucky day" type of guess, if successful. Keep in mind that lockout only slows down online guessing against the live service. It does nothing against an attacker who has already obtained the password hash and guesses offline, which is the case discussed below.

So, what is wrong with the password? It is vulnerable to keyloggers, social engineering, and password cracking.

Arguably, client devices are the most susceptible to having account credentials stolen. The source of this issue is malware-infected devices, which have been with us for a long time and will continue to be in the near future. The bad news? A compromised host or mobile device enables cyber-criminals to bypass virtually every two-factor authentication system: the malware can capture the one-time code as it is typed, or simply ride the session after the legitimate user has completed both factors.

Social engineering is manipulating people so they give up the sought-after information. The type of information the "social engineer" is seeking can vary, but usually centers on account credentials, financial information, etc. Once the account is compromised, the "social engineer", or designee, bypasses virtually any authentication system.

Password cracking requires the password hash that is stored locally on the device or on the authentication server. Without the password hash, no password cracking solution would be able to recover the password. Cyber-criminals use various means to obtain the password hash, such as exploiting system vulnerabilities, client devices and social engineering. With a compromised authentication server at their disposal, cyber-criminals are capable of bypassing virtually any authentication system.

Are these password vulnerabilities, or does the culpability belong somewhere else?

The logical answer is that both the client devices and the servers are responsible for the password vulnerability. Securing these devices should be the first step in preserving the integrity of the account credentials. Otherwise, biometric or other types of authentication methods may not provide the desired level of account security. For cyber-criminals, it makes no difference whether the stolen account credential is a password or a fingerprint, for example. Well, there is a difference: it is easier to replace the password than the fingerprint. Not to mention that while passwords are unlimited, the fingerprints of the end user in question are limited to ten.

Based on history, securing client devices and authentication servers is not likely to take place anytime soon. In that case, replacing the password with other authentication methods may provide a seemingly marginal security improvement, and the improvement might turn out to be temporary in nature, at least until cyber-criminals develop malware that exploits the different authentication methods with ease on a wide scale. Keep in mind that there is malware available now that is capable of defeating two-factor authentication.

Do we really need to replace the password authentication method now, without addressing the system vulnerabilities first?

SplashData recently released their annual list of the 25 most widely used bad passwords. The blog noted, quote:

“In SplashData’s fifth annual report, compiled from more than 2 million leaked passwords during the year, some new and longer passwords made their debut – perhaps showing an effort by both websites and web users to be more secure. However, the longer passwords are so simple as to make their extra length virtually worthless as a security measure.”

The number of passwords leaked in 2015 was much more than two million; chances are that the actual number is a lot larger. The Ashley Madison security breach alone in 2015 netted the hacker(s) 34 million passwords. While I don't doubt the authenticity of SplashData's top 25 list based on their numbers, chances are that the analysis is somewhat skewed.

SplashData does provide some advice on password protection via simple tips, like this one, quote:

“Use passwords or passphrases of twelve characters or more with mixed types of characters”

Wait… Weren't most, if not all, of the leaked passwords related to website security breaches? If they were, what is the difference between the "123456" and the "3pHj1P38JVF4" password? In reality, the difference is nothing when the site stored the passwords in plaintext, reversibly encrypted, or as a fast unsalted hash, which is exactly how most leaked lists become readable in the first place. With a properly salted, slow hash (bcrypt, scrypt, PBKDF2) there is a difference: "123456" falls to the first few entries of any wordlist, while the twelve random characters stay out of reach. The obvious downside is that the end user will have a hard time remembering a twelve-character randomly generated password. Let's face it, as long as the hacker(s) can download a poorly protected password database, it does not matter whether password complexity is in place or not.
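To make that concrete, here is an added example (my code for this page, not SplashData's or anyone else's tooling) that stores the two passwords from the paragraph above in three ways a breached site might have used, plaintext, unsalted SHA-1 and salted PBKDF2, and runs the same small dictionary attack against each copy of the leaked database. The users, passwords, wordlist and iteration count are all constructed for the example; nothing is fetched from the network.

```python
"""Added example for this page: the same leaked password database stored three
ways, attacked with the same wordlist. Users, passwords, wordlist and work
factor are constructed; nothing here talks to a network."""
import hashlib
import os

# Constructed accounts: one top-25 password, one twelve-character random string.
USERS = {"alice": "123456", "bob": "3pHj1P38JVF4"}

# Constructed attacker wordlist: a handful of the most common leaked passwords.
WORDLIST = ["password", "123456", "12345678", "qwerty", "football", "letmein"]

# Assumed work factor; a real deployment tunes this to the hardware it runs on.
PBKDF2_ITERATIONS = 100_000


def store_plaintext(password: str) -> dict:
    """What the worst breached sites did: nothing."""
    return {"scheme": "plaintext", "value": password}


def store_sha1(password: str) -> dict:
    """Unsalted single-pass SHA-1: equal passwords give equal hashes and a
    GPU tries billions of guesses per second."""
    return {"scheme": "sha1", "hash": hashlib.sha1(password.encode()).hexdigest()}


def store_pbkdf2(password: str) -> dict:
    """Per-user random salt plus a deliberately slow KDF."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"scheme": "pbkdf2", "salt": salt, "hash": digest}


def build_db(store) -> dict:
    """Simulate the database the attacker downloads."""
    return {user: store(password) for user, password in USERS.items()}


def crack(db: dict, wordlist: list) -> dict:
    """Dictionary attack over a dumped database. Returns the accounts that fell
    and how many hash computations the attacker had to pay for, which is the
    number the storage scheme actually changes."""
    cracked, hash_ops, sha1_table = {}, 0, None
    for user, record in db.items():
        scheme = record["scheme"]
        if scheme == "plaintext":
            cracked[user] = record["value"]  # no work at all
        elif scheme == "sha1":
            # No salt: hash the wordlist once and look up every user in it.
            if sha1_table is None:
                sha1_table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
                hash_ops += len(wordlist)
            if record["hash"] in sha1_table:
                cracked[user] = sha1_table[record["hash"]]
        elif scheme == "pbkdf2":
            # Salt forces a fresh, slow computation per guess per user.
            for guess in wordlist:
                hash_ops += 1
                digest = hashlib.pbkdf2_hmac("sha256", guess.encode(),
                                             record["salt"], PBKDF2_ITERATIONS)
                if digest == record["hash"]:
                    cracked[user] = guess
                    break
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return {"cracked": cracked, "hash_ops": hash_ops}


if __name__ == "__main__":
    for store in (store_plaintext, store_sha1, store_pbkdf2):
        result = crack(build_db(store), WORDLIST)
        print(f"{store.__name__:16} cracked={result['cracked']} hash_ops={result['hash_ops']}")
```

Run it and the plaintext copy gives up both accounts with zero work, the unsalted SHA-1 copy gives up "123456" after hashing the wordlist once for the whole dump, and the PBKDF2 copy gives up "123456" too, but only after separate slow computations per user. "3pHj1P38JVF4" is never recovered from a hashed copy, because it is not in any wordlist; its strength only matters once the database stops being effectively plaintext, and the defender's other lever is the work factor, which decides how many guesses per second the attacker gets.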

Information Technology (IT) people can go ahead and ridicule end users for their choice of passwords. Doing so will result in a couple of funny stories, but the joke is on them. It's 2016 and IT people still cannot secure the password databases.

Despite all of this, it will not stop IT people from requiring end users to use long and complex passwords, use special characters, include upper and lower case letters, have numerals, use different passwords for each account, not write them down, and change them frequently. Doing any combination of the aforementioned will not likely matter if the database itself is leaked unprotected. No wonder end users cringe when the IT guys/gals show up…

None of the top lists would be possible by simply guessing passwords or via social engineering; the number of passwords obtained by those means would not be sufficient for statistical purposes. Let's not throw the end users under the bus and do what needs to be done. Secure the password databases, IT people…

“Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Malware may be stealthy, intended to steal information or spy on computer users for an extended period without their knowledge, it may be designed to cause harm, often as sabotage (e.g., Stuxnet), or to extort payment (CryptoLocker).”

In legal mumbo-jumbo it's called a "computer contaminant", and there are a number of laws that carry stiff penalties if and when the perpetrator(s) are caught.

Except when it comes to law enforcement…

Federal, and presumably local, law enforcement agencies have been purchasing malware for surveillance purposes. The solution purchased with your tax dollars is a "turn-key Remote Control System" that manages infecting computers and portable devices including smartphones, collects data from the victims… oops, from the suspects, deletes itself from the target system, etc. Most of the solutions are purchased from Italy, France, Israel, etc., and it is a booming market. Just in recent years, the DEA and the US Army have purchased $1.2M worth of hacking… oops, surveillance tools.

From the recipient's perspective, there's no difference between malware and computer surveillance. In either case, the system is compromised and it's at the mercy of the malware, or the surveillance.

How do you differentiate between the good and bad guys? How do you differentiate between hackers and law enforcement agencies compromising your system?

The answer to the first question is simple: you don't. There's no difference between the two, regardless of the purpose of the hacking.

The answer to the second question is more complex. Generally, hackers compromise your system for financial gain, stealing information, etc. You'll know in a relatively short timeframe if and when a hacker owns your system. On the other hand, you won't know about law enforcement surveillance/hacking until they show up with an arrest/search warrant.

Protection against malware, be it from hackers or law enforcement agencies, is limited. The major culprits for this limitation are the vulnerabilities of operating systems and applications, in addition to the limits of the technologies developed against malware. By no means am I suggesting that software companies intentionally leave backdoors in their software. While it is possible, I am not that suspicious… yet…

But I am suspicious enough to suspect that antivirus companies may exempt "surveillance tools" from detection in their solutions. It's probably relatively easy to achieve, but unfortunately, actual hackers can easily mimic these "surveillance tools" and evade detection.

Depending on where you live, you may want to install an antivirus and other security solutions developed in a foreign country. For example, if you live in the US, Kaspersky might be a better solution than Symantec for detecting surveillance tools from US law enforcement agencies. The drawback is that Kaspersky may not detect Russian hackers' and law enforcement agencies' malware.

The Microsoft vulnerabilities report for 2014 is available from Avecto. The report's evaluation centered on critical vulnerabilities, 240 of them in 2014. Subjectively selected statistics from the referenced report:

Of the 240 vulnerabilities in 2014 with a Critical rating, 97% were concluded to be mitigated by removing administrator rights

99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights

80% of all Microsoft vulnerabilities reported by us in 2014 could be mitigated by removing admin rights vs 60% in 2013

That's right: just by removing admin rights from your user account, 232.8 of the 240 critical vulnerabilities of 2014 would have been mitigated, leaving 7.2 that still need a patch. "Mitigated" does not mean immune; the exploit still runs, but with your limited rights instead of the machine's. The statistics for 2014 vs. 2013 are impressive; Microsoft security is moving in the right direction, and a 20-percentage-point improvement just for removing admin rights is a great gain.

This blog has been emphasizing the importance of removing admin rights from your daily user account, including in this previous blog. The short version is that any program, script, etc., that gets onto your system will be executed with local administrator access rights. Whether you know this or not does not matter to the malware; it just wants to take hold of your system the easy way. With UAC enabled, an administrator's programs start with medium integrity and need elevation first, but as the UAC bypasses quoted at the top of this page show, that elevation can be obtained silently; a standard user account has nothing to elevate to.

Microsoft does not make it easy for end users not to have admin rights on their user account. Quite the opposite: the Windows installation routine assigns local administrator access to the first account created during setup, instead of asking the end user to create two accounts, one user account for daily use and the other for local administrator access if and when necessary.

Microsoft is missing an opportunity to provide end user training during the Windows installation routine. Instead of all of the "mumbo-jumbo" about the necessity of using your Microsoft account to create your user ID, Microsoft should provide a briefing about the importance of the two different accounts and their overall impact on system security.

If you feel compelled to change your user account type, this blog provides instructions for removing admin rights from your daily user account. After reading the referenced report, there's really no reason not to change the account type…

Threat Brief's "Daily Threat Brief, or DTB, is a daily open source intelligence report modeled after the concept of the President's Daily Brief (PDB). Every day the analysts of Cognito succinctly provide insights into global risk and security issues in ways that can reduce your personal and business risks and inform your strategic decision making." You can subscribe to receive email highlights of these reports on a daily basis; they are more or less useful for security people.

Threat Brief does not use their business email server to send out the daily briefs. Smart. They subscribe to a service provider that tracks the links in the email that you click on:

That's nothing new; this has been done on a regular basis. What's new is that the list-manage.com site does not show the clicked link in the browser if the browser happens to be IE11, secured as it should be, with Ghostery blocking the tracking script.

The tracking script blocked by Ghostery is MailChimp Tracking:

Cue the jokes about monkey business, etc… 🙂

While tracking isn't necessarily a security risk for the most part, it certainly can be, and it is a threat to the privacy of the end user without question. Now, why would Threat Brief utilize a third-party mass-mailer that results in privacy and potential security risks for the recipients of the Daily Threat Brief? That's beyond me… Isn't that a contradiction of the intended purpose of the threat brief?

After evaluating the "risk and security issues" of the tracking method employed for the daily threat emails, unsubscribing is in order. Fortunately, there's an unsubscribe link at the bottom of the daily brief; let's see how that one works…

The not-so-cute PUPs are Potentially Unwanted Programs that may come preloaded on your brand new computer, or installed alongside programs that you add later. Just how prevalent are these PUPs? For example, 62% of the top 50 downloads at download(dot)com include PUPs.

So, what are these PUPs and why are they pushed to you? They can be anything, such as adware, browser toolbars, homepage hijackers, nagging scareware, etc.

Adware is pretty much self-explanatory; it monitors your internet access and pops up ads related to your activities. While the popup ad can be annoying, like during your PowerPoint presentation (ugh!), this puppy will also collect your personal information and send it "home".

Browser toolbars install themselves into your browser to make your internet "browsing easier". In exchange, this puppy will collect and send your personal information "home", may pop up ads, or redirect your search results to its paying customers' websites based on your internet activities.

The homepage hijacker changes your current home page and acts like the browser toolbar afterward.

Nagging scareware is the trial version of security software. This software promises to clean up and secure your computer. The trial version will scan your system and present scary results, but it does not allow you to fix them until you actually purchase a licensed version. The scary results have nothing to do with the state of your computer; they are auto-generated by the software to entice you to purchase the program. This puppy may have any of the other puppies integrated, which will install as well.

Ok… They are not breaking my computer, so what’s the harm?

Other than changing the behavior and performance of your computer, they also collect information about you. This information can be extensive and correlated with offline data to tailor the popup ads to you and redirect your search results based on this information. The collected information about you is also sold/traded to data brokers.

Ok… But I have nothing to hide and they probably have everything about me anyway.

That's seemingly a fair point, but… Your computer's performance will degrade and your search results aren't what you are looking for. Some people like popup ads and that's fine; can't argue with that. How you view your privacy is also a personal preference.

Except that data brokers want current information about the person, since that is what is valuable to them. Old data is pretty much useless as far as popping up ads is concerned. They are more than willing to pay for it, and that is the main reason why these PUPs exist. If you don't mind being a product created by these PUPs, there's one more thing you should consider.

Malware has started to utilize these PUPs to do its dirty work. It ties into these programs to collect your information, redirect your browser to download the malware and take over control of your computer. Once it does, it will make you pay a ransom to have your computer back. You don't have to believe me, just read this blog from Malwarebytes.

So, what can I do about these PUPs?

Prevention is the best proactive measure that you can take for a PUP-free computer. Pay attention to the installation routine of the program that you want. Most PUPs are included as a recommended "additional program" that is selected by default to be installed. In most cases, you can deselect the recommended program and it won't be installed. The more aggressive installation routines don't allow you to deselect the PUP, and some of them install it hidden from you.

Ok, what do I do then?

Once you've settled down and stopped swearing, my recommendation is to install programs that remove PUPs. There are two of them on my computers that I use on a weekly basis:

Preferably, download and install both of them, update the engine if needed, and run them one by one. While they are very good at removing PUPs, each has its limitations. Just do it at least once and you'll see how many PUPs you had on your computer. You can choose to keep them, if you don't mind the privacy and security risk that these PUPs pose to your computer, or delete them. You should also run these anti-malware programs on a weekly basis if you want to keep a PUP-free computer.

In the previous blog, we looked at how malvertisement may affect you and what you can do to protect your system(s) against this threat vector. In today's blog, we'll look at the actual distribution channels and the cost of displaying malvertisement.

Beyond the advertisement shown in your browser, there's a well-established business model that isn't much different from any other business model.

The picture on the left shows the typical business model. Basically, the products are created (including malvertisement) and sold to distributors, who in turn make them available to consumers.

The difference is how other distribution channels are regulated and how the requirements are enforced by various government agencies. You'd have a hard time in the U.S. purchasing food at your supermarket without FDA approval, or buying a car without NHTSA approval, etc.

Unfortunately, online advertisements are loosely regulated, with minimal or no enforcement whatsoever. There's no need for approval by the website or the advertising network. They will pretty much blindly refer your browser to the site where the actual ad is hosted. The actual site could be a hacked website, a hosted server, etc.

Hackers have discovered that they can just bid to display their ads at various sites. Since anyone can bid to display their ads, including setting the maximum price per display, this is an easy way to have malware distributed by reputable websites. The hackers incorporate malware in an ad (we call it a malvertisement), they bid to display the ad at the targeted websites, and the advertising network kicks in. When you visit the targeted website, the ad becomes part of the website's content, and any script in the ad is executed by your browser without you clicking on it. You probably recall a few websites that had some music and/or video already playing just by visiting their home page. This is the type of ad delivery that hackers use to load malware onto your system.

The process described is automated to the level that the chances are no human evaluates the actual ad during this process. As such, malware is distributed without any warning. The sole exception might be your system protection, which should stop the malware from executing.

So, what is the actual cost for the hackers to display their ads? That depends on the website where the ads are displayed. The Malwarebytes blog states $0.927 per displayed ad for the current malvertisement at the following websites:

dailymotion.com

theblaze.com

nydailynews.com

tagged.com

webmail.earthlink.net

mail.twc.com

my.juno.com

Why neither the advertising network nor the websites are held responsible for delivering malware in the ad is beyond me. Holding the hackers responsible for the ad, but taking their money nonetheless, should be illegal.

Since your system protection should stop the malware, it raises a question: why don't the advertising companies and websites test the ad for malware prior to presenting it to end users? It's really not that hard to do:

Advertiser receives the bid for the ad

Client sends the ad to the advertiser

Advertiser scans the ad for malware

Advertiser approves the ad, if no malware found, and hosts it on their server

Websites receive the ad from the advertiser, if they opt into their program

It's harder for the website to test the ad for malware, but not impossible; real-time scanning for malware has existed for decades. Chances are that implementing such a system would offset some or a large part of the financial gains from displaying ads.
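As an added example, not code from any advertising network, here is what the gate in steps 2 to 4 above can look like in Python: a creative is hashed and compared against a deny list of creatives already caught serving malware, then statically audited for anything that would run or load code in the visitor's browser without a click (the script-executes-on-view problem described earlier), and only approved bytes are copied onto the network's own host. The hostnames, the deny-list entry and the sample creatives are all constructed for the example.

```python
"""Added example for this page: a pre-approval gate for ad creatives.
Hostnames, deny-list seed and sample creatives are constructed."""
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse

# Markup that executes or loads code in the visitor's browser with no click.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}

# Assumed: the only host the network lets creatives load resources from.
ALLOWED_RESOURCE_HOSTS = {"cdn.adnet.example"}

# Constructed: a creative an incident report has already tied to malware.
# Its digest seeds the deny list; a real list is fed by such reports.
REPORTED_AD = b'<img src="https://cdn.adnet.example/old-promo.png" alt="promo">'
KNOWN_BAD_SHA256 = {hashlib.sha256(REPORTED_AD).hexdigest()}

# Approved creatives, keyed by digest, served from the network's own server.
HOSTED = {}


class CreativeAuditor(HTMLParser):
    """Records anything in a creative that a static display ad should not need."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ACTIVE_TAGS:
            self.findings.append(f"active content: <{tag}>")
        for name, value in attrs.items():
            if name.startswith("on"):  # onload=, onerror=, onclick=, ...
                self.findings.append(f"inline handler: {name}")
            # javascript: runs code; data: can carry a whole HTML document.
            if value and value.strip().lower().startswith(("javascript:", "data:")):
                self.findings.append(f"script URL in {name}")
        # Loaded resources must come from the network's own CDN. The click-through
        # href may point at the advertiser's site; that is what an ad is for.
        for name in ("src", "data"):
            host = urlparse(attrs.get(name) or "").hostname
            if host and host not in ALLOWED_RESOURCE_HOSTS:
                self.findings.append(f"external resource: {host}")


def review_ad(creative: bytes) -> dict:
    """Step 3: deny-list lookup plus static audit. Approved only if both are clean."""
    digest = hashlib.sha256(creative).hexdigest()
    findings = []
    if digest in KNOWN_BAD_SHA256:
        findings.append("matches known-malicious creative")
    auditor = CreativeAuditor()
    auditor.feed(creative.decode("utf-8", errors="replace"))
    auditor.close()
    findings.extend(auditor.findings)
    return {"sha256": digest, "approved": not findings, "findings": findings}


def submit_ad(creative: bytes) -> dict:
    """Steps 2 to 4: take the bidder's creative, review it, host it only if approved."""
    result = review_ad(creative)
    if result["approved"]:
        HOSTED[result["sha256"]] = creative
    return result


# Constructed sample creatives submitted by bidders.
CLEAN_AD = (b'<a href="https://shop.advertiser.example/sale">'
            b'<img src="https://cdn.adnet.example/sale.png" alt="Sale"></a>')
SCRIPTED_AD = (b'<img src="https://cdn.adnet.example/x.png">'
               b'<script src="http://ads.bidder.example/loader.js"></script>')
HANDLER_AD = (b'<img src="https://cdn.adnet.example/x.png" '
              b'onerror="location.href=\'http://landing.bidder.example/\'">')

if __name__ == "__main__":
    for label, creative in [("clean", CLEAN_AD), ("scripted", SCRIPTED_AD),
                            ("handler", HANDLER_AD), ("reported", REPORTED_AD)]:
        result = submit_ad(creative)
        print(label, "approved" if result["approved"] else "rejected", result["findings"])
    print(len(HOSTED), "creative(s) hosted")
```

The hash list alone is the antivirus model the rest of this post criticizes: it rejects the creative that was reported last week and waves through a brand-new one. The static audit is what catches the new one, because a display ad has no business shipping `<script>`, `<iframe>`, `<object>` or inline event handlers. Hosting the approved bytes yourself (step 4) is what makes the review stick; a creative that stays on the bidder's server can be swapped after approval.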

If security software on the client side can stop the malware, there should be no reason why advertisers and websites cannot scan the ad for malware. Samples of security programs that can stop 0-day malware:

There are certainly other security solutions that can stop 0-day malware, but antivirus isn’t one of them. The samples above are part of the security protection for my systems.

It's unlikely that either the regulation or online advertisement distribution will change anytime soon. There's too much money to be made in the current ad delivery scheme. As such, your favored website(s) might be serving up malware to your system that may just gobble it up. You should protect your system against it and, by now, you should know that antivirus will not protect you.

A legitimate website supports its operating costs by displaying ads from advertisement clearing houses. The actual ad is downloaded in the background by your browser and its content is loaded, usually on the right side of the main content, but it can be anywhere, including popping up the ad.

The ads can be useful to some people, but are mainly annoying to others. It's a business model where you receive "free" content and the website in question earns money to operate the site. You don't necessarily need to click on the link in the ad to generate income for the website; just displaying the ad earns income. The income does increase if and when the visitor clicks on the ad.

So, what’s wrong with this business model? The short answer is… nothing. The long answer…

The advertisement clearing houses collect potential clients pretty much indiscriminately, since their income depends on clients advertising products. Clearing houses also sell the client advertisement to other clearing houses, in addition to advertising companies selling it to these clearing houses. The cross-selling is mainly due to the clearing houses' clients; some have more than others, and in targeted advertising it is important which website(s) will display the ad(s). As such, by the time the advertisement makes its way to the website, the actual ad could originate from the US, Europe, Asia, etc., and may have gone through 6-10 online advertising companies.

The problem is that none of the companies, including the website where it's displayed, check the content of the advertisement for malware. As such, hackers love this venue for distributing their malware. They can create their ad, including malware, that may mimic legitimate products, and purchase advertising time at the targeted website through the clearing house network. While there is a link in their ad, you don't need to click on it to have the malware executed. It loads in the background as the website in question loads, and in five minutes flat your system is compromised.

So, what can you do against malvertisement-based attacks? After all, like most people, you cannot give up visiting your favored sites…

Notifying the website in question doesn't do much good, especially after your system has been infected by the malware. The best a notification can achieve is that the malvertisement will be removed from the website, which will prevent other people from getting their systems infected. Hackers will just purchase ad time under a different fake brand name, and may use the same malware or create a new one.

Antivirus doesn't provide much protection against malware in advertisements, since the malware used isn't known yet. Once it is known and blocked by antivirus, the hackers create new malware, and the perpetual cycle of unknown-to-known malware begins…

So, does that mean there isn't really much one can do, other than not using the internet? No, not really…

Let's look at how the malware in a malvertisement works. The "payload" in the malware exploits known vulnerabilities in different applications. Different, as in most malware will try exploiting 3-4 different but vulnerable applications. Here's a list of vulnerabilities that were exploited in a recent malvertisement:

CVE-2013-2551 (Internet Explorer)

CVE-2014-0322 (Internet Explorer)

CVE-2010-0188 (Adobe PDF Reader)

CVE-2013-2460 (Java)

CVE-2014-0497 (Flash)

The first four digits in a CVE number are the year the identifier was assigned (or the vulnerability was made public), which is not necessarily the year it was discovered. The second number is a sequence number within that year, shared across all applications, operating systems, etc.; it has at least four digits and, for identifiers issued from 2014 on, can have more.

The list above is a mixture of old and new vulnerabilities that the malware will try to exploit in the applications. Once an exploit has fully executed, the malware stops processing the rest of the vulnerabilities. The order of the list in this blog is arbitrary; it does not indicate the actual order in which the malware processes them.
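As an added example that is not part of the original post, here is a small parser for that identifier format in Python: it validates CVE identifiers against the syntax described above, pulls them out of free text such as a vendor advisory, and sorts the list from this blog from oldest to newest so the old-versus-new mix is visible. The identifiers and products are taken from the list above and the reference year 2015 is an assumption for the example; everything else is my own code.

```python
"""Added example for this page: parse, extract and age CVE identifiers.
Reference year and the kit's product annotations are assumptions."""
import re
from typing import List, NamedTuple

# CVE-YYYY-NNNN: four-digit year, then a sequence number of at least four
# digits. Identifiers issued before 2014 have exactly four sequence digits;
# the "four or more" syntax applies to identifiers issued from 2014 on.
CVE_RE = re.compile(r"\bCVE-(\d{4})-(\d{4,})\b", re.IGNORECASE)
FIRST_CVE_YEAR = 1999  # the CVE list started in 1999


class CveId(NamedTuple):
    year: int       # year the ID was assigned or published, not discovered
    sequence: int   # per-year counter shared by all products and vendors

    def __str__(self) -> str:
        return f"CVE-{self.year}-{self.sequence:04d}"


def parse_cve(text: str) -> CveId:
    """Strict parse of one identifier; raises ValueError on anything malformed."""
    m = CVE_RE.fullmatch(text.strip())
    if not m:
        raise ValueError(f"not a CVE identifier: {text!r}")
    year, seq = int(m.group(1)), m.group(2)
    if year < FIRST_CVE_YEAR:
        raise ValueError(f"year {year} predates the CVE list")
    if year < 2014 and len(seq) != 4:
        raise ValueError(f"pre-2014 identifiers have exactly four sequence digits: {text!r}")
    return CveId(year, int(seq))


def is_valid_cve(text: str) -> bool:
    try:
        parse_cve(text)
    except ValueError:
        return False
    return True


def find_cves(text: str) -> List[CveId]:
    """Every well-formed identifier in free text, de-duplicated, in order of appearance."""
    found: List[CveId] = []
    for m in CVE_RE.finditer(text):
        if is_valid_cve(m.group(0)):
            cve = parse_cve(m.group(0))
            if cve not in found:
                found.append(cve)
    return found


# The exploit kit's list from this post, annotated with the targeted product.
MALVERTISEMENT_KIT = {
    "CVE-2013-2551": "Internet Explorer",
    "CVE-2014-0322": "Internet Explorer",
    "CVE-2010-0188": "Adobe PDF Reader",
    "CVE-2013-2460": "Java",
    "CVE-2014-0497": "Flash",
}


def sort_by_age(kit: dict, as_of_year: int) -> list:
    """(identifier, product, age in years) from oldest to newest."""
    rows = []
    for text, product in kit.items():
        cve = parse_cve(text)
        rows.append((cve, product, as_of_year - cve.year))
    return sorted(rows, key=lambda row: (row[0].year, row[0].sequence))


if __name__ == "__main__":
    for cve, product, age in sort_by_age(MALVERTISEMENT_KIT, 2015):  # assumed reference year
        print(f"{cve}  {product:18} {age} year(s) old")
```

Running it with 2015 as the reference year puts the Adobe Reader bug from 2010 at the top; an exploit kit still carrying a five-year-old vulnerability is a statement about how many readers it still finds unpatched.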

So, what does this information tell you?

I can just hear you say "I know, I know!", and you are correct. Keeping your system and applications up to date will prevent most malvertisements or malware from exploiting your system. Just keep doing it and you should be much better off than most people who do not…

Malware targets applications, hardware, and operating systems (OS) by exploiting known/unknown vulnerabilities in their software code. Why is that important to know? Well, knowing which components of your computer are used for the exploit is half the battle in protecting your system. If you don't want to read about this subject and just want to protect your system, here's a shortcut for protecting against malware…; the link will take you to my blog on the subject…

Comparing malware introduced in subsequent years, in our examples below 2012 vs. 2013, will not just identify the main targets, but also show the direction that malware is heading. It should also dispel some of the myths that people have about system vulnerabilities… Let's look at the target types first, shall we?

By and large, applications are the most targeted software for exploits, followed by hardware and operating systems. Let's leave the hardware out of this analysis, that's another blog, and continue with the operating system platforms.

Operating system vulnerabilities increased by close to 300% across all popular platforms, pretty much evenly. The year-over-year increase in the number of critical vulnerabilities ranged from 30% to close to 100%. The greater number of vulnerabilities for the Windows platform is largely due to the greater operating system market share of Windows. Believe it or not, hackers do know about ROI (Return on Investment) and prefer to target the Windows platform due to its market saturation.

The vulnerability count of the Mozilla browsers seems to be starting to decrease as their market share decreases, while Chrome had about a 50% increase due to its growing market share. Internet Explorer (IE) vulnerabilities, on the other hand, tripled from year to year; keep in mind that the IE numbers include versions 6 to 10, in other words, unsupported but still used versions.

Java is one of the hackers' favored applications, right after the Adobe software. It's easy to program a Java applet and most people do have Java installed. It also helps the hackers that the auto-update feature is broken most of the time and the security updates aren't as frequent as they should be.

Adobe Acrobat Reader is probably the hackers' most favored application. Practically everyone with a computer has this application, and Adobe isn't known for creating secure code and/or releasing security patches in a timely manner.

The number of Flash Player vulnerabilities has actually decreased from year to year. That's good news, but mainly due to Adobe's announcement that it stopped developing Flash for the mobile platform. The replacement for Flash will be HTML5 and Adobe AIR. Hopefully, the desktop platform will be the next place where Flash disappears.

There are other hacker-favored applications, such as Microsoft Office, media players, etc., but these applications did not see the same year-to-year growth as the applications listed above.

So, again, why is that important to know? Well, if you keep your operating system and applications up to date, you've just substantially decreased the chance of your system being exploited…